Solved Trouble with "safe search" on a Mac

Infected operating system
macOS High Sierra 10.13.6
Infected device issues
Something called "safe search" appears to have hijacked the Safari web browser. I've spent the morning trying various things such as looking for unwanted extensions etc but nothing found. I deleted Chrome thinking that might be the issue. (demonstrating the limits of my knowledge) I've also sent a file to Malwarebytes technical support at their request. But if you have ideas, I'd be very grateful.

Lostagain

Level 1
Thread author
Jan 21, 2020
17
Hello Jack, and thank you for your offer of help - most kind. I'm not tech savvy but usually willing to have a go. Hopefully, this thread will be easily found by others with the same issue.
 
  • Like
Reactions: [correlate]

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Ok, let's see what's going on. Let's do a basic check:

1. Are there any malicious profiles installed on your Mac? To check:
  1. Go to System Preferences.
  2. Click Profiles.
  3. If there is any suspicious profile, select it and click the remove “” button in the lower-left corner. If there isn’t a Profiles icon, you don’t have any profiles installed, which is normal.
2. Let's see what's going on with Safari:

  1. In Safari, choose Preferences from the Safari menu.
  2. In the window that opens, click the General icon (if necessary)
  3. Questions:
    • What's your homepage?
    • What it says in the " New windows open with " field?
 
  • Like
Reactions: [correlate]

Lostagain

Level 1
Thread author
Jan 21, 2020
17
Ok, let's see what's going on. Let's do a basic check:

1. Are there any malicious profiles installed on your Mac? To check:
  1. Go to System Preferences.
  2. Click Profiles.
  3. If there is any suspicious profile, select it and click the remove “” button in the lower-left corner. If there isn’t a Profiles icon, you don’t have any profiles installed, which is normal.
2. Let's see what's going on with Safari:

  1. In Safari, choose Preferences from the Safari menu.
  2. In the window that opens, click the General icon (if necessary)
  3. Questions:
    • What's your homepage?
    • What it says in the " New windows open with " field?
homepage address is Apple

new windows open with Top Sites
 
  • Like
Reactions: [correlate]

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
And there is no profile installed on your Mac, right?
homepage address is Apple

new windows open with Top Sites
You're being redirected to this "safe search" page when you open your browser or a new tab? or when you search for something?
 
  • Like
Reactions: [correlate]

Lostagain

Level 1
Thread author
Jan 21, 2020
17
And there is no profile installed on your Mac, right?

You're being redirected to this "safe search" page when you open your browser or a new tab? or when you search for something?
Sorry, yes, nothing saying profile in system preferences. And yes, as soon as I search with Safari, the results are different to normal, with "safe search on" appearing top right.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Sorry, yes, nothing saying profile in system preferences. And yes, as soon as I search with Safari, the results are different to normal, with "safe search on" appearing top right.

Open the Finder and type Shift+command+G. A pop-up box dubbed “Go to Folder” will appear.

Then, type the following three commands respectively:

~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons

Click “Go” and check whether there is any weird looking plists files (properties file). Usually, it has the "adobe" tag name.
 
  • Like
Reactions: [correlate]

Lostagain

Level 1
Thread author
Jan 21, 2020
17
Open the Finder and type Shift+command+G. A pop-up box dubbed “Go to Folder” will appear.

Then, type the following three commands respectively:

~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons

Click “Go” and check whether there is any weird looking plists files (properties file). Usually, it has the "adobe" tag name.
Sorry - do I type those commands all in the box separated by a space?
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Got that, can open Finder. I meant do I type each of those 3 commands separately and look at the properties files? (I'm not great at this).
Yes, you'll find in these folders a few files that end with the .plist extension. Check if there's any that seems suspicious, usually, they have the 'adobe' name but that's not always the case.
 
Last edited:
  • Like
Reactions: [correlate]

Lostagain

Level 1
Thread author
Jan 21, 2020
17
OK - 1st search produces 2 google and 2 hp things (hp is my printer)
2nd search produces some malware bytes things (only loaded today) and 2 paragon software things which I do not recognise
3rd search produces more including "adobe.fpsaud.plist" and 2 more paragon software things.
 

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Ok, let's get an EtreCheck report.

EtreCheck is a simple little app to display the important details of your system configuration and allows you to copy that information to the Clipboard.


Run it, and copy/paste here the report.
 

Lostagain

Level 1
Thread author
Jan 21, 2020
17
Ok, let's get an EtreCheck report.

EtreCheck is a simple little app to display the important details of your system configuration and allows you to copy that information to the Clipboard.


Run it, and copy/paste here the report.
Sorry to ask, very nervous now. This is safe, to send it to you?
 
  • Like
Reactions: Jack

Jack

Administrator
Verified
Staff Member
Well-known
Jan 24, 2011
9,377
Did EtreCheck found any malicious programs? If yes, in the Sidebar, click the Security button.
Locate and remove entries under Adware and Unsigned files. Click the “Remove” button. Restart computer.
 

Lostagain

Level 1
Thread author
Jan 21, 2020
17
Did EtreCheck found any malicious programs? If yes, in the Sidebar, click the Security button.
Locate and remove entries under Adware and Unsigned files. Click the “Remove” button. Restart computer.
Hello Jack, sorry to be suspicious, it's a horrible world. I had Apple support run diagnostics online and they confirm no Malware. Turns out this might be related to me changing broadband provider. Now looking at that.
 
  • Like
Reactions: Jack

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top